CN113721586B - Deception attack detection method for industrial process control loop - Google Patents
- Publication number
- CN113721586B
- Authority
- CN
- China
- Prior art keywords
- attack
- industrial process
- control loop
- process control
- loop
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B23/00—Testing or monitoring of control systems or parts thereof
- G05B23/02—Electric testing or monitoring
- G05B23/0205—Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
- G05B23/0218—Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults
- G05B23/0243—Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults model based detection method, e.g. first-principles knowledge model
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/20—Pc systems
- G05B2219/24—Pc safety
- G05B2219/24065—Real time diagnostics
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/02—Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Landscapes
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Engineering & Computer Science (AREA)
- Automation & Control Theory (AREA)
- Testing And Monitoring For Control Systems (AREA)
Abstract
The invention discloses a spoofing (deception) attack detection method for an industrial process control loop. For a specific control loop in an industrial process, the method performs closed-loop identification using normal historical input and output data, calculates a controlled object model, and detects attacks from the deviation between the measurement signal and the output of the controlled object model. Because the method models the control system, it has good interpretability. Attack detection is specific to each control loop in the industrial process, in particular key loops with a high attack risk, so the attacked control loop can be located quickly and accurately, which makes the method valuable for the security protection of industrial process control systems.
Description
Technical Field
The invention relates to the field of safety protection of industrial control systems, in particular to a deception attack detection method of an industrial process control loop.
Background
Network communication technology has been widely used in industrial process control systems in recent years, but this also makes spoofing attacks a serious threat to the production security of industrial processes. A spoofing attack acts on the communication line between the sensor and the controller of the control system and tampers with the state information of the controlled physical object collected by the sensor, thereby affecting the normal operation of the closed-loop control system. The industrial process control system therefore needs to be able to monitor, in real time, for attack signals injected into the control loop.
Existing spoofing attack monitoring methods are mainly based on simple data-driven techniques and monitor for attacks by extracting correlation features of the data under normal operating conditions. However, such methods are generally poorly interpretable and do not take into account the structural features of the industrial process control system. In addition, after detecting an attack they have difficulty locating it accurately and promptly, which makes effective security protection of the industrial process control system difficult.
Therefore, there is a need for an attack detection method capable of accurately detecting an attack in a control system and quickly locating a specific control loop after detecting the attack, so as to meet the safety protection requirements of the industrial process control system to a greater extent.
Disclosure of Invention
In view of the problems described in the background, the invention provides a spoofing attack detection method for an industrial process control loop. After the input and output signals of the closed-loop system during normal operation are collected, model identification is first performed on the closed-loop system. On that basis a controlled object model is calculated, and a detection system is constructed from the model output and the measurement signal to monitor for attacks, so that fast and accurate security protection of a specific control loop in an industrial control system can be achieved. The method comprises the following steps:
1) For an industrial process control loop consisting of the industrial process $G_p(s)$ and a controller $G_c(s)$, collect input data $r(s)$ and output data $y(s)$ under normal operating conditions, where the collected data includes no fewer than k = 1 changes in $r(s)$ together with the corresponding changes in $y(s)$;
2) Perform closed-loop system identification based on $r(s)$ and $y(s)$ using the least squares method to obtain a closed-loop system model $G_m(s)$, where $r(s)$ is the reference input, $G_c(s)$ is the controller, $u(s)$ is the control input, $G_p(s)$ is the controlled object, and $y(s)$ is the system output;
3) If $G_m(s)$ contains a time delay, approximate the delay term and then go to step 3); otherwise go directly to step 3). The approximation methods that may be used include first-order Padé approximation, second-order Padé approximation and Taylor approximation;
4) Use the closed-loop system model $G_m(s)$ and the known controller model $G_c(s)$ to calculate the estimation model of the controlled object $G_p(s)$
6) If the detection signal satisfies one of the following attack determination conditions, an attack is considered to exist and the method goes to step 7); otherwise it returns to step 5):
Attack determination condition 3: condition 1 holds and the duration of condition 1 is greater than $T_{Th}$, where $T_{Th}$ is a duration threshold;
7) Identify the attack type according to the following rules, issue a security early warning, and go to step 5):
a) If only attack determination condition 1 is satisfied, the attack is determined to be a surge attack;
b) If attack determination conditions 2 and 3 are satisfied, the attack is determined to be a bias attack;
c) If attack determination conditions 1 and 4 are satisfied, the attack is determined to be a geometric attack.
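The algebra behind steps 3) and 4), written out as an added derivation that is not the patent's own formula. It assumes a unity negative feedback loop around $G_c(s)G_p(s)$, writes $T_d$ for the delay, and uses the standard second-order Padé form:

$$G_m(s) = \frac{G_c(s)\,G_p(s)}{1 + G_c(s)\,G_p(s)} \quad\Longrightarrow\quad G_p(s) = \frac{G_m(s)}{G_c(s)\,\bigl(1 - G_m(s)\bigr)}$$

$$e^{-T_d s} \approx \frac{1 - \frac{T_d}{2}s + \frac{T_d^2}{12}s^2}{1 + \frac{T_d}{2}s + \frac{T_d^2}{12}s^2}$$

Replacing the delay in $G_m(s)$ by this rational function before the division keeps the resulting estimate of $G_p(s)$ a ratio of polynomials in $s$.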
Advantageous effects:
The invention discloses a spoofing attack detection method for an industrial process control loop that builds a closed-loop system model on a data-driven basis and has good interpretability. Attack detection is specific to each control loop in the industrial process, in particular key loops with a high attack risk, so the attacked control loop can be located quickly and accurately, which is valuable for the security protection of industrial process control systems.
Drawings
FIG. 1 is a schematic diagram of an industrial control loop spoofing attack of the present invention;
FIG. 2 is a flow chart of a spoofing attack detection method of the present invention;
FIG. 3 is a simulation diagram of the control system under normal operating conditions in the embodiment of the present invention;
FIG. 4 is a comparison graph of step responses of the controlled object model and the actual object in the embodiment of the present invention;
FIG. 5 is a schematic diagram of a spoofing attack detection system in an embodiment of the invention;
FIG. 6 is a diagram illustrating the effect of surge attack detection in an embodiment of the present invention;
FIG. 7 is a diagram illustrating the detection effect of a bias attack in an embodiment of the present invention;
FIG. 8 is a diagram illustrating the effect of detecting geometric attacks in the embodiment of the present invention.
Detailed Description
The present invention is further described below with reference to the accompanying drawings and a specific embodiment, whose operation flow illustrates the effect of the method in detecting attacks on a specific control loop of an industrial process system. The embodiment is implemented on the premise of the technical solution of the invention, but the scope of the invention is not limited to the following example.
The spoofing attack detection method of the invention is described for a specific control loop in an industrial process control system, with reference to the closed control loop shown in FIG. 1: in the figure, $r(s)$ is the reference input, $G_c(s)$ is the controller, $u(s)$ is the control input, $G_p(s)$ is the controlled object, and $y(s)$ is the system output. The attack $a(s)$ acts on the communication line between the sensor and the controller of the control system; because the state information of the controlled physical object acquired by the sensor is tampered with, the controller cannot receive the real data, and the normal operation of the closed-loop control system is affected.
In this embodiment, the feed temperature control loop of the primary tower in an industrial oil refining process is taken as an example. The feed temperature of the primary tower is required to be 250 ± 5 °C, and it is considered abnormal when the variation exceeds 250 ± 10 °C; that is, in this embodiment $A_{Th}$ is taken as 10 °C, $T_{Th}$ as 10 s, and $K_{Th}$ as 5 °C/s.
The flow of this embodiment is shown in fig. 2, and the specific implementation steps are as follows:
1) Collect the input and output data of the industrial process control loop under normal operating conditions. In this embodiment the control loop shown in FIG. 3 is established; the controlled object is a typical first-order process with pure time delay. The loop is under proportional-integral control, with proportional coefficient $K_p = 0.725$ and integral coefficient $K_i = 0.0665$ for the controller. The output data $y(s)$ is obtained by varying the reference input signal $r(s)$;
2) Perform closed-loop system identification to obtain $G_m(s)$, which is a second-order time-delay process with a zero:
The parameters in the model are fitted by the least squares method, and the fitting result is as follows:
3) The closed-loop model contains a delay term $e^{-2.43s}$; this example approximates it with a second-order Padé approximation, namely:
Since $T_d = 2.43$:
The closed-loop transfer function after approximating the time delay is as follows:
4) Calculate the controlled object model:
The system dynamics described by the model are substantially the same as those of the actual $G_p(s)$; for example, the output curves are substantially identical under the same step input, as shown in FIG. 4;
5) The spoofing attack detection system designed for this case is shown in FIG. 5; it calculates the deviation between the model output and the measurement signal $y_T(s)$
8) If the detection signal satisfies any attack determination condition, an attack is judged to exist and the method goes to step 7); otherwise it returns to step 5);
9) Identify the attack type, issue a security early warning, and go to step 5):
In this example, three typical industrial process spoofing attacks are detected:
Geometric attack: $y_T(t) = y(t) + a(t) = y(t) + 10^{(t/16.65)-2.5}$, $t \in (0, 66.6\,\mathrm{s})$
In the above 3 attacks, the attack signal $a(t)$ is superimposed on the output signal $y(t)$ at different times so that the measurement signal $y_T(t)$ is no longer the same as $y(t)$; to further approximate a real scenario, random noise is also superimposed on the output signal. The comparisons of the three attack signals $a(t)$ with the detected attack signals are shown in FIG. 6, FIG. 7 and FIG. 8, respectively. As can be seen from FIG. 6, a surge attack applied at time t = 16.65 s satisfies attack determination condition 1, so it is successfully detected and determined to be a surge attack. As can be seen from FIG. 7, the amplitude of the detection signal increases greatly at the actual time the bias attack is injected, i.e. t = 16.65 s, and this continues until 39.96 s, when the bias attack ends; during this period the detection signal satisfies attack determination conditions 2 and 3, and the attack is determined to be a bias attack. FIG. 8 shows that, even for a geometric attack, which is difficult to detect, the detection signal obtained by the method matches the actual attack signal well, and the attack is determined to be a geometric attack because it satisfies attack determination conditions 1 and 4.
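A minimal simulation of the residual check described above, as an added example rather than the patent's own implementation: it uses the embodiment's PI gains, 2.43 s delay, $A_{Th}$ and $T_{Th}$, and evaluates only attack determination conditions 1 and 3, the two whose definitions appear on this page. The process gain and time constant, the mismatched model, the noise level, the attack magnitudes, and driving the model with the control input u are all assumptions.

```python
import random
from collections import deque

KP, KI = 0.725, 0.0665     # PI gains from the embodiment
A_TH, T_TH = 10.0, 10.0    # amplitude threshold (degC) and duration threshold (s) from the embodiment
DT = 0.05                  # simulation step in seconds (assumed)

class FOPDT:
    """First-order process with pure time delay, gain*e^(-delay*s)/(tau*s+1), forward Euler."""
    def __init__(self, gain, tau, delay):
        self.gain, self.tau, self.y = gain, tau, 0.0
        self.pipe = deque([0.0] * round(delay / DT))   # transport delay on the input

    def step(self, u):
        self.pipe.append(u)
        self.y += DT * (self.gain * self.pipe.popleft() - self.y) / self.tau
        return self.y

def detect(attack, t_end=66.6, seed=0):
    """Run the loop with a(t) added on the sensor-to-controller line.

    Signals are deviations from the 250 degC set point, so r = 0.
    Returns when condition 1 and condition 3 first fire, plus the smallest
    |y_T| seen while condition 1 held.
    """
    rng = random.Random(seed)
    plant = FOPDT(1.0, 10.0, 2.43)   # gain and tau assumed; 2.43 s delay from the page
    model = FOPDT(1.05, 9.5, 2.43)   # estimated object model, deliberately mismatched (assumed)
    integ, run_start = 0.0, None
    out = {"cond1_at": None, "cond3_at": None, "min_measured": None}
    for k in range(int(t_end / DT)):
        t = k * DT
        y_t = plant.y + attack(t) + rng.gauss(0.0, 0.2)   # tampered measurement plus noise
        residual = y_t - model.y                           # detection signal
        if abs(residual) > A_TH:                           # condition 1: amplitude
            if run_start is None:
                run_start = t
            if out["cond1_at"] is None:
                out["cond1_at"] = t
            if out["cond3_at"] is None and t - run_start > T_TH:   # condition 3: duration
                out["cond3_at"] = t
            seen = out["min_measured"]
            out["min_measured"] = abs(y_t) if seen is None else min(seen, abs(y_t))
        else:
            run_start = None
        err = 0.0 - y_t                 # the controller only sees the tampered value
        integ += KI * err * DT
        u = KP * err + integ
        plant.step(u)                   # real process
        model.step(u)                   # model driven by the same control input
    return out

def bias(t):      # constructed magnitude; start/end times are those of the page's bias attack
    return 15.0 if 16.65 <= t < 39.96 else 0.0

def surge(t):     # constructed 2 s pulse starting at the page's t = 16.65 s
    return 15.0 if 16.65 <= t < 18.65 else 0.0

if __name__ == "__main__":
    for name, a in (("none", lambda t: 0.0), ("surge", surge), ("bias", bias)):
        print(name, detect(a))
```

In this constructed run the PI controller pulls the tampered measurement back inside the ±10 °C band a few seconds after the bias starts, while the residual against the model stays above $A_{Th}$ for the whole attack, which is what lets condition 3 fire.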
Claims (8)
1. A spoofing attack detection method for an industrial process control loop, characterized in that, for a specific control loop in an industrial process, closed-loop system identification is performed on collected normal historical data, a controlled object model is then calculated, and attack detection is performed using the deviation between the measurement signal and the output of the object model, the method mainly comprising the following steps:
1) For an industrial process control loop consisting of the industrial process $G_p(s)$ and a controller $G_c(s)$, collect input data $r(s)$ and output data $y(s)$ under normal operating conditions;
2) Perform closed-loop system identification based on $r(s)$ and $y(s)$ to obtain a closed-loop system model $G_m(s)$, where $r(s)$ is the reference input, $G_c(s)$ is the controller, $u(s)$ is the control input, $G_p(s)$ is the controlled object, and $y(s)$ is the system output;
3) If $G_m(s)$ contains a time delay, approximate the delay term and then go to step 3); otherwise go directly to step 3);
4) Use the closed-loop system model $G_m(s)$ and the known controller model $G_c(s)$ to calculate the estimation model of the controlled object $G_p(s)$
6) If the detection signal satisfies any attack determination condition, an attack is considered to exist and the method goes to step 7); otherwise it returns to step 5);
7) Identify the attack type, issue a security early warning, and go to step 5).
2. The method of claim 1, wherein the collected data includes no fewer than k = 1 changes in $r(s)$ and the corresponding changes in $y(s)$.
3. The method of claim 1, wherein the model $G_m(s)$ is identified using a least squares method.
4. The method of claim 1, wherein the delay element is approximated by a first-order Padé approximation, a second-order Padé approximation, or a Taylor approximation.
6. The spoofing attack detection method for an industrial process control loop of claim 1, wherein the detectable spoofing attacks include surge attacks, bias attacks and geometric attacks.
7. The spoofing attack detection method for an industrial process control loop of claim 1, wherein an attack is considered to exist if one of the following attack determination conditions is satisfied:
Attack determination condition 1: the absolute value of the amplitude is greater than $A_{Th}$, where $A_{Th}$ is an amplitude threshold;
Attack determination condition 3: condition 1 holds and the duration of condition 1 is greater than $T_{Th}$, where $T_{Th}$ is a duration threshold;
8. The spoofing attack detection method for an industrial process control loop of claim 7, wherein the type of spoofing attack is identified according to the attack determination conditions satisfied by the detection signal:
a) If only attack determination condition 1 is satisfied, the attack is determined to be a surge attack;
b) If attack determination conditions 2 and 3 are satisfied, the attack is determined to be a bias attack;
c) If attack determination conditions 1 and 4 are satisfied, the attack is determined to be a geometric attack.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110961236.1A CN113721586B (en) | 2021-08-20 | 2021-08-20 | Deception attack detection method for industrial process control loop |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110961236.1A CN113721586B (en) | 2021-08-20 | 2021-08-20 | Deception attack detection method for industrial process control loop |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113721586A CN113721586A (en) | 2021-11-30 |
CN113721586B true CN113721586B (en) | 2023-03-28 |
Family
ID=78677144
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110961236.1A Active CN113721586B (en) | 2021-08-20 | 2021-08-20 | Deception attack detection method for industrial process control loop |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113721586B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114527651B (en) * | 2022-01-21 | 2025-03-11 | 深圳市三旺通信股份有限公司 | Control system attack detection method, detection system, device and storage medium |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5245528A (en) * | 1989-03-20 | 1993-09-14 | Hitachi, Ltd. | Process control apparatus and method for adjustment of operating parameters of controller of the process control apparatus |
CN106878257B (en) * | 2016-12-14 | 2021-04-27 | 南京邮电大学 | Industrial network closed-loop control method and system with intelligent attack protection |
CA3080399A1 (en) * | 2017-10-30 | 2019-05-09 | The Research Foundation For The State University Of New York | System and method associated with user authentication based on an acoustic-based echo-signature |
CN111708350B (en) * | 2020-06-17 | 2022-12-20 | 华北电力大学(保定) | Hidden false data injection attack method for industrial control system |
Also Published As
Publication number | Publication date |
---|---|
CN113721586A (en) | 2021-11-30 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||